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DESCRIPTION 

System for selective data transmission 

The invention relates to a system for selective data transmission, a sender and receiver 
for use in a corresponding system, a broadcasting system, a method for selective data 
5 transmission and a method for operating a system including a sender and a plurality of 
receivers. 

In a data transmission system, data is transmitted from a sender over a channel to at 
least one out of a plurality of receivers. The physical channel used for data transmission 
10 is outside of the scope of the present invention, and can include any known form of data 
transmission method and any type of media. The issue addressed in the present disclo- 
sure is how to transfer data selectively to one ore more receivers, and to exclude other 
receivers from receiving the data. This selectivity is achieved by an encryption scheme 
specifically adapted for this task. 

15 

Corresponding systems, senders, receivers, and methods are already known. The data 
sent over the channel is scrambled, and the necessary key information to descramble the 
data is in advance distributed among the receivers, so that the desired selectivity - 
which receivers can and which receivers cannot decrypt the message - is achieved. Due 
20 to the encryption employed, these systems are well suited for broadcasting applications, 
where the channel and method of transmission do not limit the number of receivers. 

Data transmission from a sender to a plurality of receivers is termed "multicast" or 
"point-to-multipoint" transmission. Selective multicast transmission is already applied 
25 in areas like pay-TV. But even internet communication as well as mobile communica- 
tion may make use of selective multicast. 
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One way to achieve a selective multicast system is to distribute in advance a scrambling 
key - here termed "multicast key" -^tothe sender andall receivers authorized to receive 
the data (here termed a "multicast group"). This method, however, is not very flexible 
with regard to membership changes. If a previously authorized receiver leaves the mul- 
5 ticast group, the previously used multicast key (shared secret) needs to be changed, so 
that further transmissions are no longer readable for the excluded receiver. A new mul- 
ticast key needs to be transmitted safely and selectively only to the remaining receivers. 
In some applications, like pay-TV including pay-per-view systems, membership may be 
highly dynamic. For theses applications the overhead associated with the necessary key 
1 0 changes must be kept small. 

A system which could be used fOTliynamic ^ membership comprises assigning a unique 
key to each receiver. This allows the sender, who holds all of the individual receiver's 
keys, a secure unicast (point-to-point) communication with each receiver. It would be 
1 5 possible to use this system for secure multicast by establishing a multicast key, and to 
distribute the multicast key from the sender to each of the authorized receivers in en- 
crypted form, using each receiver's individual key. Thus, a multicast group can be estab- 
lished, which can securely communicate data encrypted with the multicast key, exclud- 
ing non-authorized receivers. 

20 

The above described system, although placing low receiver-side demands for storage of 
keys, would however lead to enormous bandwidth requirements for changing the multi- 
cast-key, which would, for N receivers, comprise N transmissions of that key. Consider- 
ing, that, for example in pay-TV applications, the multicast-key would be changed quite 
25 often, for example every minute, these bandwidth requirements become unacceptable 
for large multicast groups. 

An example of a system for selective data transmission which addresses the above prob- 
lem is given in US-A-6049878. The system includes a sender and a number of receivers. 
30 At each receiver, multiple keys are accessible. A multicast key (here termed TEK, traf- 
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fic encryption key) is shared with the sender and all other receivers. Additionally, each 
receiver holds a plurality of key encryption keys (KEK). The logical stracture of the 
system is that of a binary tree, with the sender being the root and the receivers being the 
leaves. Each leaf holds the keys arranged in the path from root to leaf. 

5 

In case of leave operations, i. e. a receiver is no longer authorized to receive data, every 
key in the path to the leaving sender is changed in a bottom-up fashion. The multicast 
key (TEK) is then changed to exclude the leaving receiver. Further traffic is scrambled 
using the new, changed TEK, which can no longer be read by the leaving receiver. 

10 

The system and method disclosed in US-A-6049878 succeed to reduce the bandwidth 
requked in case of leave operations. However, for every leave operation, still the re- 
keying of a complete path in the logical tree is necessary. 

15 It is thus the object of the present invention to propose a system and a method for selec- 
tive data transmission, as well as a sender and receiver for use in a corresponding sys- 
tem, as well as a broadcasting system and a method for operation of the above system, 
which is well suited for communication in a highly dynamic multicast group. 

20 According to the invention, this object is solved by a system according to claim 1 , a 
sender and receiver for such a system according to claims 10 and 11, a broadcasting 
system according to claim 12, a method for selective data transmission according to 
claim 13 and a method for operating a system according to claim 15. 

25 A central idea of the invention is to achieve selective data transmission by employing 
recursive encryption with a number of consecutively used keys. This recursive encryp- 
tion, which in the present context will also be referred to as "key chaining", involves 
encrypting data with a first key to obtain first encrypted data, and to encrypt the first 
encrypted data further using a second key to obtain second encrypted data, and so on. 

30 Obviously, the finally obtained result after recursive encryption with a number of keys 
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can only be read after recursive decryption with the same keys (generally in reverse or- 
der, if the order is important) . To read correspondingly recursively encrypted ^to, the 
complete combination of keys used in the recursive encryption process needs to be 
available to a receiver. Thus, by distributing different key combinations to different re- 
5 ceivers, a desired selectivity (i. e. which receivers can read a message and which cannot) 
can be achieved by encrypting the message recursively with keys shared by authorized 
receivers. Unauthorized receivers are excluded by using at least one key in the recursive 
encryption chain which is not held by the unauthorized receivers. 

10 A basic system and method according to the invention includes a sender and at least two 
receivers. The sender has encryption means associated therewith, and holds a plurality 
of base keysTEach receiver has associated decryption means, which eacBTEold"a receiver" 
set of keys. The receiver sets are a subset of the base keys, and are preferably pairwise 
not contained in each other. 

15 

For selective data transmission from the sender to the second receiver, the encryption 
means use at least two of the base keys for recursive encryption. The used base keys are 
chosen such that they are both (or all, in the case of more than two) contained in the 
receiver set of the (authorized) second receiver. They are also chosen such that at least 
20 one of the keys used is not comprised in the receiver set of the first receiver, which is to 
be excluded. 

A piece of data, which is thus recursively encrypted and sent over the transmission 
channel may be picked up at both receivers. But while the (authorized) second receiver 
25 can recursively decrypt the data, the (unauthorized) first receiver lacks at least one key 
and can therefore not decrypt the data. 

According to a development of the invention, the system and method are used for selec- 
tive multicast. A multicast group consisting of the above described second and a further 
30 third receiver are authorized to receive the data. Accordingly, the keys used in the recur- 
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sive encryption are chosen such that all of them are contained in the receiver sets of the 
(authorized) second and third "receiver, while at least one of the used keys is not con- 
tained in the receiver set of the (unauthorized) first receiver. 

5 It should be noted that the invention is applicable to a wide range of applications. The 
used channel can be any type of transmission method and/or medium. Also, practically 
any encryption method which uses a key to encrypt data can be used. This specifically 
implies the use of both symmetric and asymmetric encryption methods. Symmetric en- 
cryption methods use the same key for encryption and decryption, while in asymmetric 

10 encryption methods, the "key" is actually a key pair, of which one key part (usually re- 
ferred to as the "public" key) is used for encryption and the other part ("secret key") is 
used for decryption. Both Ttypesbf methods can be used in a system according folhe 
invention. The system is also not limited to a specific number of receivers. Obviously, 
the advantages of the system become more apparent in a larger system, i. e. with a 

15 higher number of receivers, e. g. more than 20, 50, 100, 1000 or above. As will be de- 
scribed in connection with preferred embodiments below the use of relatively few base 
keys already allows to address (i. e. assign a different combination to) a very large num- 
ber of receivers. 

20 In the general case of a plurality of receivers, which each hold a unique receiver set of 
keys, data is to be transmitted selectively to an authorized group out of the plurality of 
receivers. To achieve this, the encryption means at the sender encrypt the data recur- 
sively with a plurality of keys, i. e. a specific combination of base keys. This specific 
combination is chosen such that all of the keys used in the combination are held by the 

25 receivers of the authorized group. The receivers of this group are consequently able to 
recursively decrypt the data using exactly this key combination. On the other hand, the 
key combination is chosen such that for each unauthorized receiver, at least one of the 
keys out of the combination is not comprised in the corresponding receiver set of that 
receiver. Thus, each of the unauthorized receivers lacks at least one key to decrypt the 

30 data, and consequently none of the unauthorized receivers can read the clear text data. 
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According to a further development, selective transmission of data to an authorized 
group of receivers is achieved in multiple transmissions by dividing the authorized 
group into a plurality of subgroups. This may be necessary in cases where selective 
5 transmission to a specifically designated group of authorized receivers is called for, but 
there is no single key combination available which satisfies the above demands to en- 
sure selective multicast hi these cases, the same data is transmitted multiple times en- 
crypted with a different set of keys, i. e. a different key combination. Each of the differ- 
ent key combinations used satisfies the above given demands, i. e. all keys in the com- 
10 bination are held by the receivers of the corresponding subgroup, and each further re- 
ceiver, not belonging to that subgroup, lacks at least one key out of the combination. 



According to a development of the invention, a specific class of encryption methods is 
proposed. The preferred class of encryption methods includes, during encryption, calcu- 

1 5 lation of at least one exponentiation with a key number. This class of encryption method 
relies on the fact that the inverse operation (discrete logarithm problem) is not easily 
solvable. Recursive encryption with a number of keys, as described above, which would 
normally comprise recursive exponentiation with the key numbers can thus be calcu- 
lated as a simple multiplication of key numbers and only one exponentiation with the 

20 result of the multiplication. Since exponentiation operations are computationally expen- 
sive, and multiplication operations are not, the use of an encryption method out of the 
preferred class greatly reduces computational effort during recursive encryption. Pref- 
erably, the chosen encryption method also allows decryption using a plurality of keys in 
the same way, i. e. by multiplying key numbers and only one exponentiation operation 
25 with the result thereof. An example of a corresponding encryption method is the well 
known RSA algorithm. 

According to a farther development of the invention, an issuing scheme is proposed 
where the whole of receivers is subdivided into a plurality of groups. For each group, a 
30 communication scheme as described above is established: For each group, a group set 
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of base keys is available. The receivers which belong to a certain group hold keys which 
are a subset of the group set of that group. The group^ets of different groups are pair- 
wise different, and preferably even pairwise disjoint. 

5 The subdivision of the total of receivers into a plurality of groups makes it possible to 
address a very large number of receivers, with a relatively small number of keys which 
need to be stored at each receiver. 

While it is generally possible that different receivers hold different numbers of base 
10 keys, it is preferred that each receiver holds the same number of base keys, i. e. the re- 
ceiver sets have the same cardinal number. 



As explained above, the system and method according to the invention may be em- 
ployed for secure, selective multicast to a group of authorized receivers while excluding 

1 5 unauthorized receivers. As further explained, this may be achieved by encrypting the 
message recursively with a combination of keys, which needs to be carefully chosen. 
While it is generally preferable to find a single key combination which includes all au- 
thorized receivers and excludes all unauthorized receivers, this may not be possible with 
a given key distribution (issuing scheme) and a specific scenario of author- 

20 ized/unauthorized receivers (joining vector). In these cases, as explained above, multi- 
ple transmissions with a plurality of key combinations may be used for sequentially 
transferring the message multiple times, each time encrypted with a different combina- 
tion, such that finally all authorized receivers may receive the message. 

25 To determine the above described one or more combinations according to a develop- 
ment of the invention, the sender has associated storage means with information about 
authorized and/or unauthorized receivers, and distribution control means for determin- 
ing one or more combinations of base keys to be used for transmitting a message selec- 
tively to the authorized receivers, while excluding unauthorized receivers. It is of course 
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preferred that the distribution control means determine a minimum number of combina- 
tions of base keys necessary to achieve the above specified selective transmission. 

A further development of the invention relates to the distribution of base key combina- 
tions among the receivers (issuing scheme). Consider a number N of receivers, a num- 
ber k of base keys existing at the sender, and each receiver holds a number m of these 
base keys, hi this scenario, there are k over m different combinations of the available 
base keys possible, so that a maximum of k over m receivers could be addressed. An 
issuing scheme, where all or nearly all possible combinations of base keys are indeed 
distributed to the receivers will be called "exhaustive", while schemes were only a 
minimum of the available key combinations is actually in use will be called "in- 
exhausti^";Differeht issuing schemes were evaluated with the regard to their redun- 
dance. By redundance it is understood how many transmissions (combinations of base 
keys) are necessary under specific given circumstances. The applied criteria may be an 
average redundance taken over a large number of possible joining scenarios (combina- 
tions of authorized/imauthorized receivers), or a worst case redundance, which indicates 
the highest number of necessary transmissions taken over a large number of scenarios. 

It has been found that generally a lower redundance (i. e. fewer number of transmissions 
necessary) was achieved with medium exhaustive issuing schemes, i. e. schemes where 
k over m is substantially greater than N (preferably at least 10%, or even more than 
25%). Instead of actually using all possible combinations, it is thus proposed to use only 
a limited part of them to achieve better performance. Also, as very in-exhaustive issuing 
schemes are generally a waste of resources and in some cases even show poor perform- 
ance, it is generally preferred to use schemes where k over m is bounded by a power of 
N with a moderate exponent, e. g. k over m < N A 10. This would correspond to using a 
number oEbase keys which is maximally roughly ten times greater than the required 
minimum. 



-9- 



PHDE040036 EPP 



According to a further development of the invention, the base keys do not necessarily 
remain the same throu^tout the complete operation. Under several circumstances it may 
at times be desirable to exchange one ore more of the base keys, e. g. out of security 
reasons. Of course, the new base keys have to be communicated to the receivers, but 
5 selectively only to those receivers, which are authorized to hold the exchanged base 
keys. This is achieved by using, after generation of one or more new base key, the above 
described system and method for selective data transmission for selectively transmitting 
the new base key to exactly those receivers which should receive it. 

1 0 The sender according to the invention may be used in the above described transmission 
system. The sender holds a plurality of base keys. Encryption means are configured to 
encrypt dSaTrecufsively as described above. 

In the same way, the receiver according to the invention has decryption means which 
1 5 hold a receiver set of keys and are configured to decrypt encrypted data recursively with 
a number of these keys. 

The invention further relates to a broadcasting system. A broadcasting system comprises 
the transmission system described above, with a sender and a plurality of receivers. The 

20 broadcasting system further comprises a broadcasting sender, which broadcasts scram- 
bled content. The content is scrambled using scrambling means, and a scrambling key. 
It should be noted, that the term "scrambling" here relates to any sort of encryption, and 
is preferably a block cipher. The term "scrambling" is used here instead of "encrypting" 
to distinguish the content scrambling operation from the above described encryption of 

25 messages. 

The scrambled content is continuously broadcast, so that in principle the number of re- 
ceivers which receive this broadcast is not limited. However, receivers need the scram- 
bling key to de-scramble the scrambled content. The scrambling key is selectively 
30 transmitted to authorized receivers by the transmission system described above. It 
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should be noted, that the broadcasting sender and the sender from the transmission sys- 
tem may be one and the same, but this is not necessary. 

The invention further relates to a method for operating a system including a sender and 
a plurality of receivers. The method comprises the steps of determining an issuing 
scheme, generating base keys, and distributing base keys to joining receivers. Issuing 
schemes have been mentioned above. As discussed, different issuing schemes greatly 
vary in performance because of different redundance. Since the redundance directly 
corresponds to the bandwidth necessary during operation of the system, a good aver- 
age/worst case redundance is highly desirable. It is thus recommended to determine, in 
advance, an issuing scheme given a number of base keys, a (maximum) number of re- 
ceivers and a number of base l^s~stored^t each of these receivers. The generationof — 
this issuing scheme (i e. a plan, how base key combinations should be distributed 
among the receivers) may be computationally quite expensive. But this step is prefera- 
bly carried out in advance, so that no real time criteria have to be satisfied. Further, the 
step can be done once and for all, because the issuing scheme is completely independent 
of the actual base keys, and also of the encryption scheme actually used. 

In the following, preferred embodiments of the invention will be described with refer- 
ence to the drawings, where 

fig. 1 shows a symbolic representation of an embodiment of a transmission system 

according to the invention; 
fig. 2a shows a symbolic representation of a sender of the system shown in fig. 1, with 

recursive encryption means; 
fig. 2b illustrates in a symbolic representation steps of recursive encryption; 
fig. 3a shows a symbolic representation of a receiver out of fig. 1, with a decryption 

system; 

fig. 3b illustrates in a symbolic representation steps of recursive decryption; 
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fig. 4 shows in symbolic representation a first communication example with unicast 
communication; 

fig. 5 shows in a symbolic representation a second communication example with mul- 
ticast communication to a first group of receivers; 
5 fig. 6 shows in a symbolic representation a third communication example with multi- 
cast communication to a second group of receivers; 
fig. 7 shows a table with a first issuing scheme; 
fig. 8 shows a table with a second issuing scheme; 
fig. 9 shows a table with a third, grouped issuing scheme; 
10 fig. 10 shows an embodiment of a broadcasting system; 

fig. 1 la shows a symbolic representation of a scrambling system; 

fig. 1 lb shows a symbolic r^res^taticSTof a de-scrambling system and 

fig. 12 shows a sequence of scrambled content pieces. 

15 Fig. 1 shows a basic transmission system 10 according to an embodiment of the inven- 
tion. The system 10 comprises a sender S and a number of receivers, Rl, R2, R3, R4. 
The sender S is connected to each of the receivers Rl 3 R2, R3, R4 via a channel C. 
Channel C in the present example allows communication only uni-directional from the 
sender to the receivers. The channel is of such a nature that data sent from sender S can 

20 be received at each of the receivers Rl, R2, R3, R4. It should be noted that system 10 is 
a general example, and that channel C can include any type of media and transmission 
method, like for example radio broadcast over the air, data transmission in a computer 
network or others. 

25 Sender S is connected to a database 12 which stores a number of cryptographic keys kl, 
k2, k3, k4. Each of this keys may be used to encrypt data using an encryption scheme. In 
the preferred embodiment, the encryption scheme used is the RSA algorithm, and keys 
kl, k2, k3, k4 are RSA public keys. This encryption scheme will be explained further 
below. It should be noted, however, that the invention is not limited to this specific en- 

30 cryption scheme, but instead any encryption scheme could be employed. 
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The keys kl, k2, k3, k4 will further be called the base keys~<xf the system 10. They form 
a base key set, the cardinal number of which in the example given is 4. It should be 
noted, however, that in a preferred system according to the invention, there will be a 
5 larger number of base keys, and also a far lager number of receivers. 

Each of the receivers R1,R2,R3,R4 has a local database 14.1, 14.2, 14.3, 14.4. In each 
of the databases 14.1, 14.2, 14.3, 14.4, cryptographic keys are stored. Each database 
14. 1, 14.2, 14.3, 14.4 stores a different combination of base keys, which is here referred 
10 to as the receiver set of the associated receiver Rl, R2, R3, R4. For example, the re- 
ceiver set of the first receiver Rl stored in database 14. 1 comprises base keys kl, k2, k3, 
while the receiver set of the second receivCTia^OTed"m dafebase "14.2 comprises base" 
keys kl, k3, k4. 

1 5 The different combinations of base keys may also be referred to as establishment keys. 
In total, there are k base keys available (in the present example, k is equal to 4). There 
are thus 2 k -l combinations of these base keys available, hi the preferred embodiment, 
however, as in the example of fig. 1, each of the receiver sets of keys comprises the 
same number of base keys, i. e. has the same cardinal number m (in the example of fig. 

20 l,m equals 3). 



available combinations are distributed to the receivers Rl, R2, R3, R4. The choice, how 
many base keys should be available, how many keys should be stored at each receiver, 
and which combinations of keys should be used is here called an "issuing scheme". Issu- 
30 ing schemes will be further discussed below. 



There are thus different key combinations \^ m j available, so that this number of 
receivers with different receiver key sets maybe present. In the example of fig. 1, all 4 




As shown in fig. 2a, the sender S from fig. 1 comprises a message unit 22, a recursive 
encryption unit 24 and a sending unit 26. Message unit 22 delivers data D, which is en- 
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crypted in encryption unit 24 to encrypted data D\ Encrypted data D f is delivered to 
sending unit 26 to be sent over channel C. 

Encryption unit 24 includes database 12 with base keys kl, k n , and an encryption 
module 26- Encryption module 26 takes input data D and a cryptographic key k and 
5 encrypts data D with a key k. As stated above, the actual encryption method imple- 
mented in encryption module 26 is not limited There are a large number of encryption 
methods known. In the preferred embodiment, the RSA algorithm is used. Although the 
details of the RSA encryption algorithm are well known to the skilled person, the algo- 
rithm will be briefly summarized: 

10 

The key in the RSA encryption algorithm is actually a key pair, comprising a public key 
and a private l^yT The public key corresponds toa number e, which is relatively prime 
to (p-l)(q-l), where p and q are large prime numbers, which are kept secret. The private 
key corresponds to a number d, such that d*e mod ((p-l)(q-l)>=l. Also public is the 
15 base n, which is the product of the large prime numbers p and q. During encryption, a 
message corresponding to a number x with 0<x<n is encrypted using only the known 
base n and the public key e as y:=x e mod n. Decryption, on the other hand necessitates 
the private key d, and is done by x=y d mod n. 

20 In the example of fig. 2a, the encryption module 26 encrypts data D with a single RSA 
encryption step as described above. 

However, the total of encryption unit 24 implements a special encryption using a num- 
ber of keys from database 12, which involves several calls of module 26 and will here 
25 be referred to as recursive encryption. Fig. 2b illustrates the course of this encryption. 
Input data D is first passed through encryption module 26 for a first time, and is en- 
crypted using a first key kl . The obtained encrypted data is then passed through encryp- 
tion module 26 a further time, and is further encrypted using a second key k2. This re- 
cursive procedure is continued until encryption has been effected with all of a desired 
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combination of keys kl, k2 ... k n . The finally obtained encrypted data D' is the final re- 
sult of this recursive encryption process. 

Fig. 3a shows a generic receiver R, which corresponds to the receivers Rl, R2, R3, R4 
5 from fig. 1 . Receiver R includes a receiving unit 32, a decryption unit 34 and a process- 
ing unit 36. The broadcast data from the sender is received at receiving unit 32. The re- 
ceived data is decrypted in decryption unit 34 and delivered to processing unit 36 for 
further processing. 

1 0 Analogous to the recursive encryption explained with regard to fig. 2a, 2b, decryption is 
also effected recursively. A decryption module 38 is employed recursively with a num- 
ber of Keys"k n rk n _i7 ."ki. The course of the recursive decryption is"sTio^ symbolically 
in fig. 3b, where in each step the decrypted data from the previous step is further de- 
crypted using the next key. 

15 

Since generally encryption operations, such as that performed in encryption module 26, 
may require a large number of computations, recursive encryption with a number of 
keys could potentially become a computationally complex task. If, however the encryp- 
tion method used is RSA, and all keys kl, k2 ... used share the same base n, the recur- 
20 sive encryption process can be simplified. Instead of multiple, recursive exponentiation 
operations, multiplication of the exponents can be effected: 

y = (...((** ) e2 )..)* modw = mo dn 
25 In the same way, recursive decryption can be simplified as: 

x = ((..(y^Tf ™dn = y «™*~™ mod* 

30 

It may be possible, that using multiple RSA keys with the same base n will reduce key 
security. However, the savings with the regard to calculation are enormous. Thus, for 
many applications, the tradeoff of lesser security vs. drastically limited computational 
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demands may be acceptable. For example in pay-TV applications, total key security may 
not be absolutely critical, and low use7~side demands for decryption hardware provide a 
great advantage. 

5 The potential security problem may be reduced, at the expense of increased computa- 
tional complexity, by not choosing all keys with the same base n, but to have subsets of 
keys, e. g. with 2-10 keys each, which have the same base, but where the base is differ- 
ent for different groups. Chaining of keys out of the same subset may then be performed 
by multiplication, but chaining of keys out of different subsets will require multiple 
1 0 exponentiation operations. 

Fig. 4 shows a first coinmumcaHbn example within system 10. The setup of system 10~ 
is as shown in fig. 1 . The sender has an encryption unit 24 (not shown in fig. 4) which 
holds base keys kl, k2, k3, k4. Each of the receivers Rl, R2, R3, R4 have a decryption 
15 unit 34.1, 34.2, 34.3, 34.4 associated, and a database 14.1, 14.2, 14.3, 14.4 which holds 
the individual receiver's receiver set of keys. 

In the first example, sender S sends data corresponding to a clear text message 40. The 
message 40, however, is not sent in clear text, but as encrypted data 42. As shown in 
20 fig. 4, the clear text message 40 was recursively encrypted using base keys k4, k3 and 
kl in that order. 

The encrypted message 42 is sent to all receivers Rl, R2, R3, R4. All receivers receive 
the message, and try to decrypt it. However, only the second receiver R2 has the key 
25 combination (base keys kl , k3, k4) necessary to decrypt message 40. All other receivers 
Rl, R3 and R4, lack at least one base key: receiver Rl does not hold the required base 
key k4, R3 does not hold k3, and R4 does not hold kl . 



30 



Thus, in the system 10 it is possible to conduct a unicast communication (from sender S 
to receiver R2) the clear text of which cannot be received by any other receiver. 
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Fig. 5 shows a second communication example within sy^emTo. Again, the setup is as 
given in fig. 1. Sender S sends message 40 recursively encrypted using base keys k4, kl 
as encrypted message 52. The encrypted message 52, which is received at all receivers 
Rl, R2, R3, R4, can only be decrypted by those receivers which holds both base keys kl 
and k4, i. e. the second receiver R2 and the third receiver R3. The other receivers each 
lack one key for decryption: Rl does not hold k4, and R4 does not hold kl . Thus, fig. 5 
shows an example of a secure multicast (from sender S to the group comprising receiv- 
ers R2 and R3), which cannot be decrypted by any other receiver. 

Fig. 6 shows a third communication example within system 10. The third communica- 
tion example is complementary to the secohdlsdm^ shown in fig. 5. 
Sender S sends encrypted data 62, which corresponds to message 40 recursively en- 
crypted with keys k2 3 k3. In the same manner as above, fig. 6 shows an example of se- 
cure multicast from sender S to receivers Rl and R4, exclusively. 

Generally, although not shown in figs. 4-6, the encrypted message should contain in- 
formation about which keys are necessary to decrypt it (and in which order, if the order 
is important). 

What has above been demonstrated using the simple example from fig. 1, with only 4 
base keys and only 4 receivers is generally true and can easily be applied to scenarios 
with a large number of receivers. 

In each case, there will be a certain number of receivers authorized to receive a trans- 
mission, while the rest of the receivers is not authorized. To represent this, a joining 
vector is defined which is a list of numbers being either 0 or 1 corresponding to the set 
of all receivers. The joining vector contains a 1 entry for authorized receivers, and a 0 
entry for unauthorized receivers. For the first communication example of fig. 5, the 
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joining vector would be (0, 1, 1, 0) while in the second example according to fig. 6 the 
joining vector would be (1, 0, 0, 1). 

As mentioned above, a major issue with regard to the setup of a transmission system is 
5 the chosen issuing scheme, i. e. how the different base key combinations are distributed 
among the receivers. 

The main parameters governing the issuing scheme are the maximum number of receiv- 
ers N, the number of base keys held by each receiver m and the total available number 
10 of base keys k. 

Trincipally the number m of base keys available af the T receivers may differ. However, in 

the following, only such issuing schemes will be regarded, where m is the same for all 
receivers. It can be shown, that the redundance of these issuing schemes is at least equal 
15 to, and in most cases better than that of issuing schemes where the number base keys at 
each receiver differs. 

It should be noted, that the value m for practical applications should generally be kept 
low. Since preferred systems include a large number of receivers, the corresponding 
20 decryption means (decryption unit 34) and key storage means (database 14.1, 14.2, 14.3, 
14.4) are needed in large numbers, so that it is preferable to be able to use inexpensive 
hardware. Such inexpensive hardware, however, will not be able to store a large number 
of keys. 

25 The above given communication examples with regard to fig. 4, fig. 5 and fig. 6 illus- 
trate how secure multicast may be achieved for the different joining vectors. In these 
examples, the messages were delivered to all authorized receivers (with a 1 entry in the 
joining vector) in only one transmission. However, this may not always be possible. 
Depending on the joining vector and the issuing scheme there will be situations where 

30 two transmissions are necessary to reach all authorized receivers, i. e. a first transmis- 
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sion to reach a first subgroup of the authorized receivers and a second transmission to 



reach the remaining authorized receivers. In the same way, three, four or more tonsmis- 
sions may be necessary. In the worst case, the number of transmissions may be equal to 
the number of receivers. Of course, if a large number of transmissions are necessary, the 
5 overall efficiency of the transmission system is reduced. 

Therefore, the number of transmissions necessary, which will be termed "redundancy" 
here, defines the performance of the transmission system. As stated above, this depends 
on the joining vector and the issuing scheme. Since joining behavior during operation of 

10 a transmission system is not known in advance, in most cases may only be described 
stochastically, and may even be completely random, it is desirable to chose an issuing 
scheme with a good^ver^l^erformance. The redundancy of ah issuing scheme may; 
for example, be measured as an average redundancy over a large number, or even all 
possible 2 N joining vectors. Redundancy may also be defined as worst case, i. e. maxi- 

1 5 mum number of necessary transmissions over a large group, or all, joining vectors. 

As already mentioned, for evaluation of different issuing schemes, we call an issuing 
scheme exhaustive if all possible sub-combinations of base keys are indeed assigned to 
individual receivers. Consequently, an issuing scheme will be call minimally exhaus- 
20 tive, if only a very small part of the possible combinations is used as receiver key sets. 
A medium exhaustive issuing scheme is in between these two extremes, using more of 
the possible combinations than a minimally exhaustive, but less than an exhaustive issu- 
ing scheme. It has been found, that with regard to issuing scheme performance, medium 
exhaustive issuing schemes tend to have a lower redundancy. 



25 



30 



In fig. 7 and fig. 8 are examples given for different issuing schemes with six receivers 
(N=6). Fig. 7 shows a tetrahedral scheme with k=4 base keys, out of which each re- 
ceiver set contains m=2. 



Thus, the issuing scheme of fig. 7 is maximally exhaustive 
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10 



The hexagonal issuing scheme of fig. 8 has k=6 base keys, out of which each receiver 

" _15 the actually used N=6 combinations make 



5 set contains m=2. Since here 



the hexagonal issuing scheme of fig. 8 medium exhaustive (only 40% of all combina- 
tions are used). 

Now let us consider the above issuing schemes for a joining vector of (1,0,1,1,0,1). Ob- 
viously, in both cases it is not possible to transmit a message to all four authorized re- 
ceivers Rl, R3, R4, R6 in only one transmission. Instead, the tetrahedral issuing scheme 
of fig. 7 necessitates four transmissions: 



15 

Receivers Reached Base Key Combination Used 
Rl kl, k2 

R3 kl,k4 
R4 k2,k3 
20 R6 k3, k4 

Thus, in the given example the joining vector is so unfavorable with regard to the given 
issuing scheme, that the message needs to be transmitted in four unicast transmissions. 
However, the same joining vector necessitates only two transmissions in the issuing 
25 scheme according to fig. 8: 



Receivers Reached Base Key Combination Used 

R1,R6 kl 
R3, R4 k4 

30 

It can be shown, that for the hexagonal scheme of fig. 8 the worst case redundancy is 3, 
i. e. a maximum of 3 transmissions is necessary. Thus, in a transmission system with six 
receivers, the worst-case redundancy can be reduced from 4 to 3 by issuing and storing 
two additional base keys. 



35 
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Generally, the following approach can be used to find optimized issuing schemes. The 
algorithm given below actually evaluates average and/or worst case redundancy of a 
large number of issuing schemes for all possible joining vectors, to find an optimum or 
near optimum solution: 

1. For all N (number of receivers), e.g. from 10-100: 

2. Make a list L schcmes of all possible issuing schemes of length N 

3. For all issuing schemes in L schemcs : 

4. Make a list L joining all 2 N possible joining vectors 

5. For all joining vectors in L joining : 

6. Determine redundancy of the present issuing scheme for the present join- 

— ing vector. _ _.. ... 

7. Determine average and/or worst case redundancy of the present issuing scheme 
8. Determine the best issuing schemes out of L schemcs with regard to average and/or 
worst case redundancy 

It should be noted that running the above given algorithm for a large range of lengths N 
will be a computationally very complex task. However, the optimization needs to be run 
only once in advance to establishing a messaging system. Since no real time require- 
ments need to be fulfilled, there should be enough processing capacity available to per- 
form the above optimization. 

A special class of issuing schemes are grouped issuing schemes. The total of receivers is 
subdivided into receiver groups. For every group, there is a set of base keys available. 
The base key sets of different groups are pairwise disjoint. 

Fig. 9 shows a general example of the grouped issuing scheme, where each group has a 
size g of receivers, and every receiver has g-1 base keys.For group 90a, which contains 
receivers Rl-R g , base keys kl to 1% are available. For a second group 90b, which con- 
tains g receivers Rg+i - R 2g , there are also g keys k^i to k 2g available. 
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It should be noted, that in fig. 9, that the issuing schemes within the individual groups 
90a, 90b are identical. Thus, when performing the above given optimization algorithm, 
a suitable issuing scheme found for a certain number N of receivers may be employed in 
a grouped issuing scheme for groups of size N. Thus, for communication systems with a 
5 large number of receivers, e. g. more than 10.000, the algorithm need not be executed 
with N=10.000, but the 10.000 users could be subdivided into 100 groups of group size 
100, and an optimized issuing scheme determined by the above algorithm for N=100 
can be used within each of these groups. 

10 As explained above, it is computationally advantageous to use the RSA algorithm for 
encryption, and to use keys which share the same base n. In grouped issuing schemes, it 
is preferred that only the keys within thesame group share the same base n, which may ~ 
reduce potential security problems and simplifies key generation. 

1 5 After an issuing scheme for an intended maximum number of receivers N (or a corre- 
sponding group size) has been determined, and the required number of base keys has 
been generated, a data transmission system can be set up in the following way: A status 
list with 3 possible entries, "active", "inactive", "unused" per predetermined receiver 
key set is generated, where initially all values are "unused". This status list is main- 

20 tained throughout the whole Ufetime of the communication system, giving the informa- 
tion about the corresponding subscriber's state. Also, a list of identifiers for users that 
left the service is kept (left-list). 

Now, the individual receivers join the system. Upon joining of a receiver, it is first de- 
25 termined if the receiver is in the left-list. If this is the case, the receiver is handed out the 
receiver key set that he previously held. The corresponding status tag is changed from 
"inactive" to "active". If the joining receiver is not contained in the left-list, an (e. g. the 
first) predetermined user key set that has status "unused" is handed out to the user. The 
corresponding status tag is set to "active". 

30 
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If the receiver leaves, the status is changed from "active" to "inactive". For security rea- 
sons, it should be avoided to send a new receiver key set to a re-joining receiver. It can- 
not be excluded that receivers keep copies of previous key sets, so that after leaving and 
re-joining several times a receiver could collect a large number of keys, which would 
5 allow to decipher almost every transmission, at least for a significant period of time. 

If the lifetime of the transmission system is long compared to the average joining time 
of users, the system operator may find that after time the space of available key sets will 
be near exhaustion. In this case, it is proposed to exchange one or more base keys. If for 

10 all of the receiver key sets which contain the exchanged base keys the corresponding 
status list shows an "inactive" entry, the key may simply be exchanged at the sender. If, 

however, a currently "active" user holds orieof the base keys which should be ex- 

changed, the newly generated keys can be securely distributed to these users by using 
the above encryption algorithm, where the new base key is the encrypted message. It 

1 5 should be noted, that unlike the initial sending of user key sets at subscription time, the 
transmission of exchanged base keys does not require a separate, secure channel. 

In the following, there will be some examples given for communication systems with a 
larger number of receivers. 

20 

In a first example, each receiver stores 10 keys. In total, there are 15 base keys available. 
This leads to approximately 3000 different possible key combinations, out of which only 
1000 (33%) are used to address a maximum of 1000 receivers. The individual combina- 
tions used (issuing scheme) is determined using the given algorithm for N=1000. 

25 

In a second example, the total of receivers is subdivided into groups of a maximum of 200 
receivers. The total number of receivers is unlimited. Each receiver holds 8 keys out of a 
total number of 12 available base keys per group. A medium exhaustive issuing scheme 
(40% of the possible 495 combinations used) is determined with regard to minimum worst 
30 case redundancy. 
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In a third example, there are in total 30 base keys available, out of which each receiver 
holds 157There is thus a key large number of combinations available (more than 155 mil- 
lion), so that even with a medium exhaustive issuing scheme a large number of receivers 
may be addressed. 

In the following, an extension of the above described data transmission system to a 
broadcasting system will be described. 

Fig. 10 shows the general structure of a broadcasting system 100. The broadcasting sys- 
tem 100 has a broadcasting sender Sb. A content source 102 continuously delivers con- 
tent data Fl, F2, F3... to broadcasting sender Sb. Also, a multicast key generator 104 
continuously delivers multicast keys mi, m 2 , m 3 ». to broadcasting sender Sb. Broadcast- 
ing sender Sb includes a scrambling unit 1 10 as shown in fig. 1 la. Scrambling unit 1 10 
scrambles a received content data F to a scrambled content data F using a scrambling 
key (multicast key) m. 

Broadcasting sender Sb continuously broadcasts scrambled content data. The delivered 
content data Fl, F2, F3... is continuously scrambled with the delivered multicast key m u 
m 2 , m 3 ... and the resulting scrambled content data Fl', F2 1 , F3 1 ... is broadcast. 

The scrambled broadcast data can be received by an principally unlimited number of 
receivers. Here again, the broadcasting media or channel will not be further regarded. 

The broadcasting system 100 further comprises a sender S, which is identical to the 
sender S from the communication system according to fig. 1, and which holds a number 
of base keys as described in connection with that figure. Sender S also continuously 
receives the multicast keys mi, m 2 , m 3 ... from key generating unit 104. Sender S has 
included or associated therewith storage means with information about authorized and 
non-authorized receivers. Sender S continuously encrypts the actual multicast keys mi, 
m 2 , m 3 ... recursively with a selected combination of base keys and broadcast the thus 
encrypted key information as an encrypted message 106. 
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The broadcasting system further includes 4 receivers Rl, R2, R3, R4. On one hand, 
these receivers correspond to those in communication system 10 according to fig. 1, and 
include recursive encryption units 24 and key data bases 14. The distribution of base 
5 keys among the receivers is the same as given in fig. 1 . On the other hand, the receivers 
Rl, R2, R3, R4 each include a de-scrambling unit 112 and a multicast key storage 114. 

Fig. 1 lb illustrates a de-scrambling unit 112, which processes scrambled content data F. 
The data F is de-scrambled using a multicast key m retrieved from multicast key stor- 
10 age 1 14 to reconstruct clear text data F. The scrambling unit 1 10 in the sender and the 
de-scrambling unit 1 12 of the receivers operate inverse to each other. For the scram- 
bling and d^cr^bling operation generally any type of ehcrj^tionln^o^lnay^ be 
used. It is preferred to use a fast block cipher. 

15 Next, the operation of the broadcasting system 100 will be described. Broadcasting sys- 
tem 100 could be, for example, a pay-TV system where TV content is continuously 
broadcast in scrambled form, and only subscribing users (authorized receivers) should 
be able to view the content. The system is adapted to be highly dynamic, so that e. g. 
pay-per-view is possible. Therefore, the scrambling key (multicast key) is changed quite 

20 often over time, e. g. every minute. 

The actual TV content data Fl, F2, F3... delivered from source 102 is continuously en- 
crypted using the multicast keys valid a different points in time. Fig. 12 shows a sym- 
bolic representation of the content data continuously scrambled with changing multicast 
25 keys m u m 2 , m 3 ... 

In parallel t o the scrambled broadcasting of broadcasting sender Sb, sender S continu- 
ously distributes the multicast keys valid at any given time to the authorized receivers. 
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In the example of fig. 1 0, only receivers R2 and R3 are authorized, while receivers Rl 
and R4 are not authorizedTKey generator 104 generates multicast key mi and delivers it 
to both broadcasting sender Sb and sender S. Sender S encrypts multicast key mi with 
base keys kl, k4 and sends the corresponding encrypted message 106 to all receivers. 
Due to the chosen combination of base keys, only authorized receivers R2 and R3 can 
decrypt the message and receive multicast key mi. Receivers R2 and R3 each store mul- 
ticast key mi in their respective key storage 1 14.2, 1 14.3. Receivers Rl and R4 cannot 
decrypt encrypted message 106, so that their respective key storage 1 14.1, 1 14.4 does 
not contain the valid multicast key mi. 

Broadcasting sender Sb in parallel scrambles current program feature Fl with current 
multicast key mi andTSfbaacasts thlFscrambled content data 7FV to all receivCTsTWEile 
all of the receivers R1-R4 receive the encrypted data, only authorized receivers R2, R3 
have previously obtained the current multicast key mi, so that they can de-scramble the 
message Fl f to retrieve the current TV feature Fl . 

The above described operation is continuously repeated with consecutive features Fl, 
F2, F3... and continuously changing multicast keys mi, m 2 , m 3 ... In case of subscriber 
changes (e. g. receiver R3 does not subscribe to feature F3) the sender S is notified and 
correspondingly the encryption of the multicast key m 3 is changed. In the given exam- 
ple, sender S would encrypt multicast key m 3 recursively with base keys kl, k3, k4 so 
that only subscribed receiver R2 could receive the multicast key m 3 and consequently 
de-scramble feature F3. 

It should be noted, that while in the example of fig. 10 broadcasting sender Sb and 
sender S are shown as separate entities, they may in fact be combined. Especially, the 
encrypted key data 106 and the scrambled content data Fl f may be transmitted in the 
same way over the same channel, and preferably combined together as a single stream 
of data. 
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While the above description shows examples of communication systems, communica- 
tion within these systems, issuing schemes, communication methods, operating meth- 
ods, and broadcasting systems and methods, these examples were chosen merely for 
illustrative purposes and should not be construed as limiting the scope of the present 
invention. There are a number of modifications and extensions of the above systems and 
methods possible. 
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. CLAIMS 



1 . System for selective data transmission with 

- a sender (S) 

- and at least a first and a second receiver (Rl , R2), 

- with encryption means (24) associated with said sender (S), said encryption 
5 means (24) comprising a plurality of base keys (kl , k2, k3, k4), 

a transmission channel (C) from said sender (S) to said receivers (Rl, R2) for 
transmission of encrypted data (42, 52, 62, 106), 

and with decryption means (34) associated with each of said receivers (Rl, R2), 
said decryption means (34) each comprising a receiver set of keys, where each 
1 0 receiver set of keys is a subset of said base keys (kl , k2, k3, k4), 

- where for transmission of data (40) at least to said second receiver (R2), said en- 
cryption means (24) are configured to encrypt said data (40) recursively with at 
least two keys (kl, k3, k4), said keys being comprised in said receiver set of said 
second receiver (R2), and at least one of said keys (k4) not being comprised in 

15 said receiver set of said first receiver (Rl), 

- and were said decryption means (34) of said second receiver (R2) are configured 
to decrypt said data (42, 52, 62, 106) recursively with said at least two keys (kl, 
k3, k4). 

20 2. System according to claim 1, 

- said system (10) further comprising a third receiver (R3) with decryption means 
(34.3) comprising a receiver set of keys which is a subset of said base keys (kl, 
k2,k3,k4) 
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= — where.said receiver sets of said first, second and thkd.receiver_(Rl, JR2, JR3) are 

pairwise different, 

- and where said receiver set of said second receiver (R2) and said receiver set of 
said third receiver (R3) comprise at least two common keys (kl, k4) where at 

5 least one of said at least two common keys (kl , k4) is not comprised in said re- 

ceiver set of said first receiver (Rl), 

- and where for transmission of data (40) to a group at least comprising said sec- 
ond receiver (R2) and said third receiver (R3), said encryption means (24) are 
configured to encrypt said data (40) recursively with at least said two common 

10 keys (kl, k4), 

= ?^ whpre said decryption means (34.2, 34.3) of said sec ond and third receiver 

(R2, R3) are each configured to decrypt said data (42, 52, 62, 106) recursively 
with at least said two common keys (kl, k4). 

15 3. System for selective data transmission according to one of the above claims with 

- a plurality of receivers (Rl, R2, R3, R4), each with associated decryption means 
(34) with a receiver set of keys, where said receiver sets are pairwise different, 

- where an authorized group of said receivers (R2, R3) is authorized to receive 
said data, 

20 - and where for transmission of said data (40) to the receivers of said authorized 
group, said encryption means (24) are configured to encrypt said data (40) recur- 
sively with a plurality of keys (kl, k4), all of said keys being comprised in said 
receiver sets of the receivers of said authorized group, and for each receiver not 
belonging to said authorized group (Rl), at least one of said keys not being com- 

25 prised in the corresponding receiver set, 

- and were said decryption means (34) of the receivers of said authorized group 
- (R2, R3) are configured to decrypt said data (42, 52, 62, 106) recursively with 

said plurality of keys (kl, k4). 
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4. System according to claim 3, where - 

- said authorized group of receivers is divided into at least two subgroups, 

- and for transmission of said data (40) to the receivers of said authorized group, 
said data is transmitted to said receivers in at least two transmissions, where in 

5 each transmission the data is encrypted recursively with a different set of keys, 

all of said keys being comprised in said receiver sets of the corresponding sub- 
group of receivers. 

System according to one of the above claims, where 

- said encryption means (24) are configured for recursive encryption with a plural- 
ity of encryption steps, where in each encryption step a piece of data (D) is en- 
crypted with a key (kl) to calculate an encrypted piece of data (Dl), 

- where each of said encryption steps includes calculation of at least one exponen- 
tiation with a key number associated with said key (kl), 

- said encryption means being configured to recursively apply said encryption 
steps with a plurality of keys (kl, k2... kn) by multiplying key numbers associ- 
ated with said keys, and calculating an exponentiation with the result of said 
multiplication. 

20 6. System according to one of the above claims, with 

- a plurality of receivers, 

- where said receivers are divided into a plurality of groups (90a, 90b), 

. where for each of said groups (90a, 90b), the encryption means (24) comprise a 
group set of base keys, said group sets being pairwise different from each other, 
25 - and the decryption means (24) of each of said receivers comprise a receiver set 
of keys, which is a subset of the group set of the group that the respective re- 
ceiver is a member of 
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System according to one otthe above claims, with 



a plurality of receivers (R1-R4), with decryption means (34) associated with 
each of said receivers (R1-R4), said decryption means (34) each comprising a 
receiver set of keys, where each receiver set of keys is a subset of said base keys 
(kl-k4), 

where each of said receiver sets of keys comprises the same number of base 



System according to one of the above claims, with 

- a plurality of receivers, 

- and storage means associated with said sender (S) which store information about 
a first, authorized group of receivers out of said plurality of receiversrand/OT 
about a second, unauthorized group of receivers out of said plurality of receiv- 
ers, 

- where said sender (S) comprises distribution control means for controlling mes- 
sage transmission, said distribution control means being configured to determine 
one or more combinations of said base keys (kl-k4), such that messages recur- 
sively encrypted with said combinations are decryptable only at said receivers 
belonging to a first group, and are not decryptable at said receivers belonging to 
said second group. 

System according to one of the above claims, with 

- a number k of base keys, 

- and a number N of receivers, and with decryption means associated with each of 
said receivers, said decryption means each comprising a receiver set of keys, 
where each receiver set of keys is a subset of said base keys, 

- where , . each receiver set of keys contains a number m of said base 
keys, [ m) 

- where is substantially greater than N. 
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10. Sender for use in a transmission system according to one of the above claims, with 

- encryption means (24) comprising a plurality of base keys (kl-k4) ? said encryp- 
tion means (24) being configured to encrypt data (40) recursively with at least 
two of said base keys (kl-k4), 

- and transmission means (26) for transmitting said encrypted data (D f ) over a 
transmission channel (C). 

1 1 . Receiver for use in a transmission system according to one of claims 1-9, with 

- receiving means (32) for receiving encrypted data (D 1 ) of a transmission channel 

(C), „ _ 

- and decryption means (34) comprising a receiver set of keys, 

- where said decryption means (34) are configured to decrypt said encrypted data 
(D ! ) recursively with at least two of said keys. 

12. Broadcasting system with 

- scrambling means (1 10) for scrambling content (F) with a scrambling key (m), 

- a broadcasting sender (Sb) for broadcasting said scrambled content (F) over a 
channel, 

- said broadcasting system further comprising a selective data transmission system 
according to one of claims 1-9 with a sender (S) and receivers (R1-R4) for selec- 
tively transmitting the scrambling key (m), 

- where said receivers (R1-R4) each comprise de-scrambling means (112) for de- 
scrambling said scrambled content (F) with said scrambling key (m). 

13. Method for selective data transmission, where encrypted data is transmitted 

- from a sender (S) comprising a plurality of base keys (kl -k4), 

- to at least a first and a second receiver (Rl , R2), each comprising a receiver set 
of keys, where each receiver set of keys is a subset of said base keys (kl-k4), 
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= — where for selective transmission o£data two.set&econd receiver (R2) said 

method includes the following steps: 

- at said sender (S), encrypting said data (40) recursively with at least two keys 
(kl, k3, k4), said keys (kl k3, k4) being comprised in said receiver set of 
said second receiver (R2), and at least one of said keys (k4) not being com- 
prised in said receiver set of said first receiver (Rl), 

- transmitting the encrypted data (42, 52, 62) over a transmission channel (C), 

- and, at said second receiver (R2), decrypting said encrypted data (42, 52, 62, 
106) recursively with said at least two keys (kl, k3, k4). 

14, Method according to claim 13, said method further comprising the steps of 

- determining at least one base key (kl , k2, k3, k4) to exchange, 

- generating at least one new base key, 

- encrypting the new base key recursively with a plurality of base keys, and trans- 
mitting the thus encrypted key to a plurality of receivers. 

15. Method for operating a system including a sender (S) and a plurality of receivers 
(R1-R4), said method comprising the steps of 

- determining an issuing scheme for issuing a number of base keys (kl -k4) to a 
number of receivers (Rl -R4), where each of said receivers (Rl -R4) holds a 
number of said base keys (kl-k4), 

- generating said base keys (kl -k4), 

- and, upon joining of said receivers (Rl -R4), distributing said base key (kl -k4) to 
said receivers (R1-R4) according to said predetermined issuing scheme. 
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ABSTRACT 

System for selective data transmission 

5 A system and method for selective data transmission is described. The system includes a 
sender S and a plurality of receivers R1-R4. The sender has associated encryption 
means 24 comprising a plurality of base keys kl-k4. The receivers R1-R4 each have 
associated decryption means 34 each comprising a receiver set of keys, where each re- 
ceiver set of keys is a subset of the base keys kl-k4. For secure, selective transmission 
10 of data to a first, authorized group of receivers the encryption means are configured to 
encrypt the data recursively with at least two of said base keys, which are all comprised 
in the receiver sets of the authorized group of receivers, and where at least one of these 
keys is not comprised in each receiver set of the non-authorized group of receivers. 
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Fig. 2a Fig. 2b 
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